Heartbleed threatens financial channels

April 21st, 2014

(Editor’s note: In this guest essay, Scott Borg, CEO and chief economist at the U.S. Cyber Consequences Unit, outlines why online financial accounts are most exposed to the Heartbleed coding flaw – and why few criminal hackers are in a position to take advantage. The accompanying video conveys an overview of the state of the cyber underground; it comes from a talk delivered by Borg at the RSA Conference in San Francisco earlier this year. US-CCU is an independent, non-profit research institute that investigates the strategic and economic consequences of cyber-attacks.)

By Scott Borg, Special to Last Watchdog

There seems to be some confusion about what Heartbleed is good for. Heartbleed is primarily useful for retrieving information from webservers that reveals the details of those servers’ recent interactions with clients.

This allows attackers to steal the “handshake” information that is used to authenticate an interaction between a client computer and a webserver. In particular, Heartbleed allows attackers to steal the private keys and other long-term authentication codes that are used to set up private, encrypted communication sessions.

Heartbleed can also allow the attacker to steal enough of the content of the server’s recent communications to capture account numbers and passwords. Together, these pieces of information can allow the attacker to impersonate a client computer without any need to invade that computer.
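The leak Borg describes comes from a single missing length check in OpenSSL’s handling of TLS Heartbeat messages (RFC 6520): the server trusted the payload length claimed inside the message instead of the number of bytes actually received, and answered with that many bytes of its own memory. The following Python validator is an added illustration, not part of this essay or of OpenSSL; it applies the same consistency check the fix enforces (type byte, length field, claimed payload and at least 16 bytes of padding must all fit inside the record) to constructed sample records, which is also the check an intrusion detection rule uses to flag Heartbleed probes on the wire.

```python
import struct

# TLS record content type reserved for Heartbeat messages (RFC 6520).
HEARTBEAT_CONTENT_TYPE = 0x18
# RFC 6520 requires at least 16 bytes of random padding after the payload.
MIN_PADDING = 16


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record carrying a Heartbeat message and report whether
    the length claimed inside the message is consistent with the bytes that
    were actually received. A mismatch is exactly what Heartbleed exploited."""
    if len(record) < 5:
        return {"ok": False, "reason": "truncated TLS record header"}

    content_type, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return {"ok": False, "reason": "not a heartbeat record"}

    body = record[5:]
    if len(body) != rec_len:
        return {"ok": False, "reason": "record length field does not match bytes on the wire"}
    if rec_len < 3:
        return {"ok": False, "reason": "heartbeat body too short for type and length fields"}

    hb_type, claimed_len = struct.unpack("!BH", body[:3])

    # The check the Heartbleed fix added: 1 (type) + 2 (length) + payload
    # + 16 (minimum padding) must not exceed the record length. A message
    # that claims more payload than it carries is discarded, never answered.
    if 1 + 2 + claimed_len + MIN_PADDING > rec_len:
        return {
            "ok": False,
            "reason": "claimed payload length exceeds the received record",
            "claimed": claimed_len,
            "available": rec_len - 3 - MIN_PADDING,
        }

    return {"ok": True, "type": hb_type, "payload": body[3:3 + claimed_len]}


def count_malformed(records) -> int:
    """Count records a detector would flag; useful over a captured session."""
    return sum(1 for r in check_records(records) if not r["ok"])


def check_records(records):
    """Apply the check to an iterable of records, yielding one result each."""
    for record in records:
        yield check_heartbeat_record(record)


# Constructed sample records (not captured traffic). Both carry a 4-byte
# payload "ping" plus 16 bytes of zero padding, so the body is 23 bytes and
# the record length field is 0x0017. Only the claimed payload length differs.
GOOD_RECORD = (
    b"\x18\x03\x02\x00\x17"      # content type 24, TLS 1.1, length 23
    + b"\x01" + b"\x00\x04"      # heartbeat_request, claimed length 4
    + b"ping" + b"\x00" * 16     # real payload and minimum padding
)
BAD_RECORD = (
    b"\x18\x03\x02\x00\x17"      # same header, 23 bytes on the wire
    + b"\x01" + b"\x00\x40"      # heartbeat_request, claims 64 bytes
    + b"ping" + b"\x00" * 16     # but only 4 bytes of payload are present
)


if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, check_heartbeat_record(rec))
    print("flagged:", count_malformed([GOOD_RECORD, BAD_RECORD]))
```

A patched server makes the same decision as this validator and silently drops the malformed message; an unpatched one would have echoed 64 bytes back, the 4 it was sent plus 60 bytes of whatever lay next in its heap, which is the path by which session contents and key material could leak.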

Criminals using Heartbleed would be able to arrange improper transfers of funds on a fairly large scale, unless the various kinds of authentication codes were changed in time. While Heartbleed can also be used to invade many types of client computers, such as Android phones, potential attackers don’t need Heartbleed to do that. Most Android phones, for example, can already be compromised, using any of several tools currently available from cyber-crime websites.

Sophisticated attackers taking advantage of Heartbleed will be after bigger, more lucrative game than cell phones and credit card numbers. A large portion of the web’s financial channels were potentially in jeopardy.

Fortunately, there were probably not many cyber attackers aware of the Heartbleed vulnerability before the patches for it started to be distributed. Perhaps even more important, there were not enough criminal attackers who understood enough about how financial transactions are carried out to take full advantage of the possibilities Heartbleed opened up.

This means that the biggest opportunities that Heartbleed created for stealing money were mostly closed up before they were much exploited. If there were some large diversions of funds accomplished by using Heartbleed, these will probably never be publicly acknowledged, because the financial institutions in question won’t want to risk encouraging imitators.